#1 - 03-23-2005, 07:45 AM
Junior Techie, Join Date: Feb 2004, Posts: 61
web form tutorial
I need a good tutorial (with step by step process) about setting up web forms. I need help with this, 'cause I want to set up some useful forms like: direct e-mail form, anquete (questions for users) and so on...
__________________ I'm not here because I know, I'm here to learn!
#2 - 03-23-2005, 02:27 PM
True Techie, Join Date: Sep 2004, Posts: 110
HTML? Or do you want to use some sort of scripting language alongside? 'cos, HTML email forms... in a word... suck.
__________________ * Your high priced security consultant's plane ticket: $1500
* Your high priced security consultant's time: $200/hour
* RealSecure nodes all over your company: $200,000
* Getting owned by 0day: Priceless
#3 - 03-23-2005, 05:39 PM
Junior Techie, Join Date: Mar 2005, Posts: 50
forms? what is there to know? www.hotscripts.com << tons of scripts. Download the one you want and use it. I use some email script, it's called emailer.php I think. I just made another php file, included the emailer.php file and then into the new php file, I inserted some font and other options. WORKS PERFECTLY. NO MYSQL needed.
#4 - 03-24-2005, 12:31 PM
Junior Techie, Join Date: Feb 2004, Posts: 61
Thanx - I found "contactus" - as I understand it, it is for sending mail from the web, it is nice and exactly what I need, but I can't install it - so can anyone please explain to me step by step how to do it - is there something I should know that isn't in the "read me" file? Really, I am a beginner at this!
#5 - 03-24-2005, 02:27 PM
True Techie, Join Date: Sep 2004, Posts: 110
For a start, that's way too complicated.
<?php
if (isset($_POST['submit'])) {
    $to      = "youremail@whatever.com";   // put your own address here
    $subject = $_POST['subject'];          // passed to mail() exactly as posted
    $message = $_POST['message'];
    mail($to, $subject, $message);
    echo "Message sent";
} else {
?>
<form method="POST" action="index.php">
Subject: <input type="text" name="subject">
Message:
<!-- the text area must be closed, otherwise the submit button ends up inside it -->
<textarea name="message"></textarea>
<input type="submit" name="submit" value="Send">
</form>
<!-- the short "<?" tag only works when short_open_tag is on; "<?php" always works -->
<?php
}
?>
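An added example, not code from the thread: the same one-file contact form, but with the posted fields checked before mail() sees them. The recipient address is the same placeholder as in the post above; the function and sample submissions are constructed for this illustration.

```php
<?php
// Added example, not code from the thread: the one-file contact form from the
// post above, with the posted fields checked before mail() sees them.

const CONTACT_TO = 'youremail@whatever.com';   // placeholder address, as in the post

// Returns ['ok' => true, 'to', 'subject', 'message'] for a usable submission,
// or ['ok' => false, 'errors' => [...]] so the caller decides what to show.
function prepare_contact_mail(array $post): array
{
    $errors  = [];
    $subject = trim((string)($post['subject'] ?? ''));
    $message = (string)($post['message'] ?? '');

    if ($subject === '' || strlen($subject) > 200) {
        $errors[] = 'subject must be 1 to 200 characters';
    } elseif (preg_match('/[\r\n]/', $subject)) {
        // mail() writes the subject into the message headers; a line break there
        // would end the Subject: line and begin a header of the sender's choosing.
        $errors[] = 'subject must be a single line';
    }
    if (trim($message) === '') {
        $errors[] = 'message is empty';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'to' => CONTACT_TO, 'subject' => $subject, 'message' => $message];
}

function self_test(): bool
{
    // Constructed sample submissions: a normal one and one with a line break in the subject.
    $normal  = ['subject' => 'Question about hosting', 'message' => 'Hello there'];
    $twoLine = ['subject' => "Hello\r\nX-Extra: injected", 'message' => 'Hello there'];
    return prepare_contact_mail($normal)['ok'] === true
        && prepare_contact_mail($twoLine)['ok'] === false
        && prepare_contact_mail(['subject' => 'x'])['errors'] === ['message is empty'];
}

if (PHP_SAPI === 'cli') {
    echo self_test() ? "validation behaves as expected\n" : "unexpected result\n";
} elseif (isset($_POST['submit'])) {
    $r = prepare_contact_mail($_POST);
    if ($r['ok']) {
        mail($r['to'], $r['subject'], $r['message']);
        echo 'Message sent';
    } else {
        echo htmlspecialchars(implode('; ', $r['errors']));
    }
}
```

Run it from the command line to exercise the checks; served from a web server, the same file handles the form post with the original HTML form in front of it.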
#7 - 03-24-2005, 03:39 PM
True Techie, Join Date: Sep 2004, Posts: 110
Heh. All you'll ever really need is:
PHP Code:
// Reject anything that is not a plain letter or digit.
// (ereg() was removed in PHP 7; preg_match() does the same job here.)
if (preg_match('/[^A-Za-z0-9]/', $input))
{
    echo "The input supplied contains non-alphanumerical characters";
    exit;
}
^ for when you only want letters and numbers
PHP Code: addslashes($input)
^ When entering a variable value into an SQL query
PHP Code: stripslashes($output)
^ When displaying it on a page
... that's all there really is to it. Dunno why some people go way over the top with billions of security checks. If you don't want non-alphanumerical, then don't allow it. If you are using PHP with SQL, add and strip slashes. And always make sure what the user requests is actually available. That's really all you need :S If you DO want to allow non-alphanumerical, just remember to disallow HTML special characters:
PHP Code: str_replace("&#", "&", $input)
.. or a variant of that.
#8 - 03-24-2005, 03:51 PM
Super Techie, Join Date: Mar 2005, Posts: 259
Quote: Originally posted by Terencentanio
> Heh. All you'll ever really need is:
> ...
> ^ for when you only want letters and numbers
> ...
> ^ When entering a variable value into an SQL query
> ...
> ^ When displaying it on a page
> ... that's all there really is to it. Dunno why some people go way over the top with billions of security checks. If you don't want non-alphanumerical, then don't allow it. If you are using PHP with SQL, add and strip slashes. And always make sure what the user requests is actually available. That's really all you need :S If you DO want to allow non-alphanumerical, just remember to disallow HTML special characters:
> ...
> .. or a variant of that.

There are plenty of situations when a little more is required. For example, what if you are checking file names? You may want to allow file names with a-z, 0-9, and other characters such as ., /, -, etc... Many people also neglect to properly decode their data before checking.
What if you check input as sent by the browser? %3B may slip past some checks, but what about when that gets decoded to ; later in your code?
90% of the time what you have mentioned above is enough, but there are always cases when finer control is needed.
__________________ Christopher Ingram
Principal Consultant, Souken Group, LLC.
C.Ingram@SoukenGroup.com
(856) 392 5244 -- (866) Go Souken
#9 - 03-24-2005, 04:14 PM
True Techie, Join Date: Sep 2004, Posts: 110
Indeedly. You can add to ereg to make it allow _ and - for file names.
I don't think %3B would be decoded. It's usually only 'decoded' when displayed on a page. For example, %20 would remain as %20 in the code, but when it's displayed on a page, it becomes a space. I've never really tried. Lemme go check and I'll come back.
- teh edited:
Hehe. %20 taken from a variable is entered as a space. %20 taken as text is entered as %20.
Oddjobness. Will have to look at how to stop that via another method other than filtering out "%" and disallowing everything other than letters and numbers.
#10 - 03-24-2005, 06:10 PM
Super Techie, Join Date: Mar 2005, Posts: 259
Odd things happen from time to time. Someone can check the value of a user-supplied variable, and call urldecode on it at some point after that. My only real points are that flexibility is a good thing to have, and the security process shouldn't be over-simplified. People rely too much on one aspect of security to cover them (classic firewall problem) and neglect security at other points.
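An added example, not code from the thread, covering the point raised in the last three posts: a value checked before it is URL-decoded can still contain a forbidden character after decoding. The denylist, the file-name allowlist and the sample values are all constructed for this illustration; the function names are my own.

```php
<?php
// Added example, not code from the thread: the "%3B gets past the check and
// is decoded to ; later" problem from the posts above, and the order that
// avoids it. The checks and sample values are constructed for this illustration.

// Denylist in the "just disallow a few characters" style.
function has_forbidden_char(string $s): bool
{
    return preg_match('/[;|&<>]/', $s) === 1;
}

// Allowlist of the kind suggested for file names: letters, digits, '.', '_', '/', '-'.
// '%' is not in it, so a still-encoded value is rejected before it can be decoded.
function is_plain_file_name(string $s): bool
{
    return preg_match('/^[A-Za-z0-9._\/-]+$/', $s) === 1;
}

// Wrong order: the raw value is checked, and urldecode() runs later in the code.
function check_then_decode(string $raw): ?string
{
    if (has_forbidden_char($raw)) {
        return null;
    }
    return urldecode($raw);   // '%3B' turns into ';' here, after the check passed
}

// Right order: decode once, then check the value that will actually be used.
// (PHP already URL-decodes the query string once when it fills $_GET and $_POST;
// calling urldecode() on such a value decodes it a second time.)
function decode_then_check(string $raw): ?string
{
    $decoded = urldecode($raw);
    return has_forbidden_char($decoded) ? null : $decoded;
}

function self_test(): bool
{
    $encoded = 'report%3Bid';   // constructed: a ';' sent as %3B
    return check_then_decode($encoded) === 'report;id'      // denylist was bypassed
        && decode_then_check($encoded) === null               // caught once decoded first
        && decode_then_check('report-2005.txt') === 'report-2005.txt'
        && !is_plain_file_name($encoded)                      // allowlist rejects the '%'
        && is_plain_file_name('logs/report-2005.txt');
}

echo self_test() ? "decode-then-check behaves as expected\n" : "unexpected result\n";
```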